Apache Santuario
After discussion with the Santuario PMC, it has been decided to address the long term lack of support for the C++ library by formally retiring the code here at Apache. The Java code of course remains well supported and will continue to be developed.
As of now, the C++ code is frozen here. The current sole maintainer will be transferring the source code to the Shibboleth Project and it will be maintained by that team for some period of time because it is a dependency of that software, but it will not be supported for any third-party use. It is estimated that the code will be fully retired some time before 2030. The code will be publicly hosted and accessible after the transition, and the license is not changing.
Once the code transition occurs, which may not be for some time yet, we will update more of the site as is appropriate to reflect the transition. In the event a significant issue arises with the library prior to the transition, we will endeavor to address it here.
The Apache Santuario™ project is aimed at providing implementation of the primary security standards for XML. Two libraries are currently available.
Use the links below to download a distribution of Apache Santuario from one of our mirrors. It is good practice to verify the integrity of the distribution files. Apache Santuario releases are available under the Apache License, Version 2.0 - see the LICENSE.txt and NOTICE.txt files contained in each release artifact.
Older releases are available in the archive.
It is essential that you verify the integrity of the downloaded files using the PGP signatures. Digest verification ensures the file was not corrupted or tampered with but provides no real verification of authenticity. PGP verification ensures that the file is authentic. In practice, PGP verification is much more important and makes checksum verification redundant.
The PGP signatures can be verified using PGP or GPG. First download the Apache Santuario KEYS as well as the *.asc signature file for the particular distribution. It is important that you get these files from the ultimate trusted source - the main ASF distribution site, rather than from a mirror. Then verify the signatures using:
% pgpk -a KEYS
% pgpv xml-security-bin-1_4_4.zip.asc

or

% pgp -ka KEYS
% pgp xml-security-bin-1_4_4.zip.asc

or

% gpg --import KEYS
% gpg --verify xml-security-bin-1_4_4.zip.asc
To verify the SHA checksum on the files, you need to use a program called sha1sum (or sha256sum, etc.), which is included in many unix distributions. It is also available as part of GNU Textutils. Windows users can get binary digest programs from here or an openssl client from here.
% sha1sum xml-security-X.Y.tar.gz
... output should match the string in xml-security-X.Y.tar.gz.sha1
We strongly recommend you verify your downloads with PGP.
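The GnuPG and checksum steps above as a pair of shell functions, added here as an example; this is not code from the Apache Santuario project. The function names are hypothetical, and the script assumes `gpg` and a `sha1sum`/`sha256sum` tool are on the PATH.

```shell
#!/bin/sh
# Added example: check a downloaded release before unpacking it.

# verify_signature FILE SIG_FILE KEYS_FILE
# Prints the signing key's fingerprint and returns 0 only for a good signature.
verify_signature() (
    file=$1 sig=$2 keys=$3
    # Throwaway keyring: only keys imported from KEYS_FILE can satisfy the check.
    home=$(mktemp -d) || exit 1
    trap 'rm -rf "$home"' EXIT
    gpg --homedir "$home" --batch --quiet --import "$keys" 2>/dev/null || exit 1
    # Name the data file explicitly so gpg checks the file that will be used,
    # and read the machine-readable status lines rather than the human output.
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sig" "$file" 2>/dev/null)
    # GOODSIG is not emitted for expired or revoked keys; VALIDSIG carries
    # the fingerprint of the key that made the signature.
    printf '%s\n' "$status" | awk '
        $1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $3 }
        END { if (good && fpr != "") print fpr; exit !(good && fpr != "") }'
)

# verify_digest FILE DIGEST_FILE [TOOL]
# TOOL is sha1sum, sha256sum, etc. (default sha256sum). A match shows the
# download is intact; it says nothing about who produced the file.
verify_digest() (
    file=$1 digest_file=$2 tool=${3:-sha256sum}
    # Digest files hold either bare hex or "hex  filename": take the first hex run.
    expected=$(grep -Eio '[0-9a-f]{40,128}' "$digest_file" | head -n 1 | tr 'A-F' 'a-f')
    actual=$("$tool" "$file" | awk '{ print $1 }')
    # An empty or unreadable digest file must fail, never pass.
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
)
```

Call it as `verify_signature xml-security-bin-1_4_4.zip xml-security-bin-1_4_4.zip.asc KEYS`; the fingerprint it prints identifies which key from KEYS made the signature.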